Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

HTTP Exception after migrating TMS with TMSPE

Migrated TMS 13.2 with TMSPE from physical server to VM 2008 R2, which went fine, however, VCS-C is now giving me HTTP exception status for all provisioning services; users, phonebooks and devices.

Status: failed

Response: HTTP Exception

Reason: (400) HTTP Error: WWW-Authenticate

And yet, TMSPE diagnostics in TMS shows no alarms; it's all green.

TAC is working on it though.

Anyone seen this before ?

/jens

Please rate replies and mark question(s) as "answered" if applicable.
  • TelePresence
Everyone's tags (6)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

HTTP Exception after migrating TMS with TMSPE

Thanks for the clarification Jens And I'm talking internally to all those involved here since it appears we have 'several hands in the kitchen' (as well as different kitchens) concernng this one...meaning let's use the official channels for troubleshooting this one and we'll simply update this thread with what the outcome was...agreed?

Cisco Employee

Re: HTTP Exception after migrating TMS with TMSPE

Hi Guys,

After about 4 hours on a case, I have figured out what is causing this issue. I am able to replicate this in the lab as well.

This issue is what is sent in the 401 Unauthorized from TMS. The working message stream is as follows:

1. VCS sends 4 GET messages to TMS (1 for each TMSPE service)

2. TMS sends a 401 Unauthorized with the following 3 lines:

    WWW-Authenticate: Negotiate

    WWW-Authenticate: NTLM

    WWW-Authenticate: Basic

3. VCS sends 4 GET messages with a selected authentication method

The failed message stream is as follows:

1. VCS sends 4 GET messages to TMS (1 for each TMSPE service)

2. TMS sends a 401 Unauthorized with the following 3 lines:

    WWW-Authenticate: Basic

    WWW-Authenticate: Negotiate

    WWW-Authenticate: NTLM

3. VCS doesn't send anything

Notice how Basic authentication is listed first. When the VCS receives the 401 it doesn't send the GET messages at all. This is the issue at hand. The VCS is expecting Basic to be listed in the 3rd spot. You can still change the order of NTLM or Negotiate by following the steps in my previous post.

To change the order of the Basic message you need to change the order in which it lists in the modules portion of IIS.

From what I have found you will most likely have to modify the applicationHost.config file. In the GUI you can move this up using the modules section but I have found that the items are locked and are unable to move in the GUI.

The file is located in C:\Windows\System32\inetsrv\config

To fix it I have written the following steps below:

1. Backup the applicationHost.config file

2. Stop the WWW Publishing service on the Windows server

3. Edit the applicationHost.config file by opening it in Notepad

*WARNING: This file contains a lot of information that pertains to IIS. If the file is not modified correctly you might have to end up uninstalling and re-installing everything.*

4. Search/Find the string "" without quotes

   You should find only two of them

   Look for the one that looks like this:

  

       

           

5. Look below the modules tag and find the line with:

6. Move the above line in step 5 line anywhere above the following two lines still underneath the tag.

  

  

If the BasicAuthentiacationModule line is below the WindowsAuthenticationModule lines in the file, the Basicauthentication line in the 401 from TMS will be at the top causing failure.

7. Save the file which is located in C:\Windows\System32\inetsrv\config

8. Start the WWW Publishing service

9. Disable and re-enabled the services on the VCS

Let me know if you have further questions.

Chad

35 REPLIES
Cisco Employee

HTTP Exception after migrating TMS with TMSPE

Hey Jens

TMSPE diagnostics does not check the VCS communication errors its only checking health on the TMS server it self that is why you don't see any errors here. You can have all sorts of communication errors to your VCS and the diagnostics will still stay green since the TMS is healthy.

I suspect this to be an IIS issue so I would check the authentication methods in IIS. I found a case showing this error and it was resolved by turning of windows authentication in IIS and turning it back on again... Is the TMS in a domain and the username is typed in with DOMAIN\username in the VCS provisioning configuration (via TMS)?

/Magnus

HTTP Exception after migrating TMS with TMSPE

Hei Magnus,

Aha, that clears up the diagnostics side of it.

TMS is in domain, but I created a local admin user account on the server which also has full site admin rights in TMS, this worked fine with the old server.

Just changed the hostname to reflect the TMS VM hostname, so it's hostname\username, and this is present everywhere it should be; TMS provisioning extension settings page in TMS and also in the VCS provisioning configuration.

By the way, the original tmsng db was copied across to an external VM SQL server, and original tmspe db was copied across to the VM TMS server itself.

I'll take a look at the IIS next, thanks for the tip.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

HTTP Exception after migrating TMS with TMSPE

Just an update.

Still having the http exception issue with TMSPE, been working with TAC for quite a while now trying to resolve it.

So far no luck, case has now been escalated to R&D so hopefully we can get to the bottom of this.

/jens

Please rate replies and mark question(s) as "answered" if applicable.
Cisco Employee

HTTP Exception after migrating TMS with TMSPE

Hi Jens,

This has reached my level and although I don't want to troubleshoot here and also within our internal tools, I responded to the TAC engineer handling the case (Deepti) with basically what Magnus as stated above. For example, is the domain part being provided in the user account you are utilizing in all locations, e.g. CISCO\daleritc? So has to see if this is just on the TMS side, can you  change it to another account (that is in the TMS Site Admin group) in the provisioning extenstion settings page successfully? In addition, I assume your not using HTTPS on the Cisco TMS Connection on the provisioning extension settings page?

And the provisioning extension log is clearly stating you have an authentication issue:

Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials

org.apache.commons.httpclient.auth.InvalidCredentialsException: Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials

And with regards to the db locations now, Deepti has told me that both the tmsng and tmspe db are now on the same external SQL server. Can you please confirm, although I don't believe the location of the dbs is the root of your problem.

And finally, was there an OS difference from the physical server to the VM server? Are the TMS and TMSPE installed to the Default Website on the new server? Are there any other applications or something on the new server that may be effecting IIS securities? For example, if you look at the TMSAgent virtual folder, are both basic and windows authentication enabled? No IIS re-directs or anything like that going on?

Let Deepti know I've posted here

Re: HTTP Exception after migrating TMS with TMSPE

Hi Dale,

Old, physical server, where everything worked fine; OS Win 2003 32bit, SQL 2005, both tmsng and tmspe as well as TMS itself sat on this one server.

New VM TMS server; Win 2008 r2 64bit, SQL 2008 r2 svc pack 1 - only TMS runs on this server now.

External SQL server now housing both tmsng and tmspe; OS Win 2008 r2 svc pack 1, SQL 2008.

Nothing else runs on either server.

Domain part included, local user created on TMS server with full site admi rights and authenticating with hostname\username.

Changing credentials to an existing ad account with full admin and site admin rights, makes no difference.

HTTPS not used on the provisioning extension page.

Folder authentications thoroughly examined by 3 different Cisco engineers, so I assume these are correct.

Also got a surprise call from Andrew Bell and Michael McGary this morning, and spent some on Webex with them going through quite a few things. They did add this to the case notes, so might be best to check those too.

cheers jens

Please rate replies and mark question(s) as "answered" if applicable.
Cisco Employee

Re: HTTP Exception after migrating TMS with TMSPE

"New VM TMS server; Win 2008 r2 64bit, SQL 2008 r2 svc pack 1 - only TMS runs on this server now."

So where is the TMSPE app now, if only TMS run on this server now?

I'll cross ref with Michael and Andrew as well as the case notes.

rgds,

Dale

HTTP Exception after migrating TMS with TMSPE

Sorry Dale, should have said:

"New VM TMS server; Win 2008 r2 64bit, SQL 2008 r2 svc pack 1 - only TMS and TMSPE app runs on this server now that  tmspe db has been moved to external SQL server".

/jens

Please rate replies and mark question(s) as "answered" if applicable.
Cisco Employee

HTTP Exception after migrating TMS with TMSPE

Thanks for the clarification Jens And I'm talking internally to all those involved here since it appears we have 'several hands in the kitchen' (as well as different kitchens) concernng this one...meaning let's use the official channels for troubleshooting this one and we'll simply update this thread with what the outcome was...agreed?

HTTP Exception after migrating TMS with TMSPE

Absolutely, I only updated this thread to keep others who might have a similar problem, or encounter a similar problem in the future, informed of the progress - so if someone should Google TMSPE http exception error...well

cheers jens

Please rate replies and mark question(s) as "answered" if applicable.
7415
Views
20
Helpful
35
Replies